1 / 59

Tutorial: Multiparty Computation for Honest Majority Ivan Damgård Århus University

Tutorial: Multiparty Computation for Honest Majority Ivan Damgård Århus University. The MPC problem, brief reminder n players P1, P2, …, Pn Player Pi holds input xi

essien
Download Presentation

Tutorial: Multiparty Computation for Honest Majority Ivan Damgård Århus University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Tutorial: Multiparty Computation for Honest Majority Ivan Damgård Århus University

  2. The MPC problem, brief reminder • n players P1, P2, …, Pn • Player Pi holds input xi • Goal: for some given function f with n inputs and n outputs, compute f(x1,…,xn)= (y1,…,yn) securely, i.e., we want a protocol such that: • Pi learns the correct value of yi • Outputs are the only new information leaked • We want this to hold, even when (some of) the players behave adversarially.

  3. Modelling Adversarial Behavior • Assume one central adversary Adv. Adv may corrupt some of the players and use this to learn information he should not know, or mess up the results. • When Pi is corrupted, Adv learns complete history of Pi. • An adversary may be • Passive or Active: just monitor corrupted players or take full control. • Static or Adaptive: all corruptions take place before protocol starts, or happen dynamically during protocol (but once you’re corrupt, you stay bad). • Unbounded or probabilistic polynomial time

  4. Bounds on corruption If Adv can corrupt an arbitrary subset of players, in most cases problem cannot be solved – for instance, what does security mean if everyone is corrupted? So need to define some bound on which subsets can be corrupt. Adversary StructureΓ: family of subsets of P= {P1,…,Pn} Adv is a Γ-adversary: set of corrupted players is in Γ at all times To make sense, Γ must be monotone: BΓ and A  B implies AΓ i.e. If Adv can corrupt set B, he can choose to corrupt any smaller set. Threshold-t structure: contains all subsets of size at most t. Γ is Q3: for any A1,A2,A3  Γ, A1A2 A3 is smaller than P Γ is Q2: for any A1,A2  Γ, A1A2 is smaller than P Threshold-t structure for t< n/3 is Q3 Threshold-t structure for t< n/2 is Q2

  5. Why General Access Structures? • And not just a bound on the number of players that can be corrupt? • Threshold adversaries (where we just bound the number of corruptions) make sense in a network where all nodes are equally hard to break into. This is often not the case in practice. • With general access structures, we can express things such as: the adversary can break into a small number of the more secure nodes and a larger number of less secure ones.

  6. Modelling Communication • In this lecture: • Synchronous network: communication proceeds in rounds – in each round each player may send a message to each other player, all messages received in same round. • Two main variants: • Information Theoretic scenario: Adv does not see communication between honest (uncorrupted) players  can get security for unbounded Adv (this lecture). • Cryptographic scenario: Adv sees all messages sent, but cannot change messages exchanged between honest players  can only get security for (poly-time) bounded Adv.

  7. Summary The players Corruption can be passive: just observe computation and mess. x2, y2 x1, y1 Or active: take full control Inputs, Desired outputs Synchronous communication Corrupt Adv x3, y3 x4,y4 I.T. scenario: no info on honest-to-honest mess. Adv can choose which players to corrupt statically or adaptively – but set of corrupted players must be ”not too large”, i.e., it must be in the given adversary structure

  8. Known Results, Information theoretic scenario • Passive, adaptive, unbounded Γ-adversary: any function can be securely computed with perfect security iff Γ is Q2 in threshold-t case, if and only if t< n/2 • Meaning of ”only if”: there exists a function that cannot be computed securely, if condition on Γ (t) not satisfied. • Active, adaptive, unbounded Γ-adversary: any function can be securely computed with perfect security iff Γ is Q3 in threshold-t case, iff t< n/3 • If we assume that a broadcast channel is given for free, and we accept a non-zero error probability, more is possible: • i.t. scenario with broadcast and active, adaptive, unbounded Γ-adversary: any function can be securely computed with small error prob. iff Γ is Q2 in threshold-t case, iff t< n/2 • Results of [CCD88, BGW88, RB89, HM99,CDDHR00]

  9. Known Results, Cryptographic Scenario • Passive, adaptive, polynomial time adversary: Assuming one-way trapdoor permutations exist, any function can be securely computed with computational security if number of corrupted players is < n. • Active, adaptive, polynomial time Γ-adversary: Assuming one-way trapdoor permutations exist, any function can be securely computed with computational security iff Γ is Q2 in threshold-t case, iff t< n/2. • Results of [Y86, GMW87,CFGN]

  10. (UC) Definition of Security, Brief reminder. • Define two processes: • The Real Process • The Ideal Process • In the Real Process, we have the adversary Adv and the players executing the protocol . • In the Ideal Process, we still have the same Adv, but  is replaced by an ideal functionality F plus a simulator S. • We will say that securely realizes F if Adv cannot tell whether he is in the real or in the ideal process. • Role of S in a nutshell: • - Sits between Adv and F • - Must simulate Adv’s view of protocol, given only the interface offered by F: can define input for corrupt players, see their outputs

  11. Secret Sharing (Shamir’s scheme) • A Dealer holds a secret value s in Fp, p > n is a prime. • Dealer chooses a random polynomial f() over Fp of degree at most t, such that f(0)=s: • f(x) = s + a1 x + a2 x2+ …+ at xt • Dealer sends si = f(i) privately to Pi. • Properties: • Any subset of at most t players has no information on s • Any subset of at least t+1 players can easily compute s – can be done by taking a linear combination of the shares they know. • A consequence – the reconstruction vector: • There exists a reconstruction vector (r1,…,rn) such that for any polynomial h() of degree less than n: • h(0) = r1 h(1) + … + rn h(n)

  12. Using Secret Sharing to Represent Private Values. • AfterDealer has sendt si = f(i) privately to Pi, we know that • An adversary corrupting most t players has no information on s • If t<n/2, then the honest players can reconstruct s. • A secure way to represent the value s. Notation: a f() a1, a2, …, an means: value a has been shared using polynomial f(), resulting in shares a1,…,an, where player Pi knows ai.

  13. A Protocol for the Passive Corruption Case, I.T. scenario • threshold adversary, may corrupt up to t players, t< n/2. Circuit and inputs given Create ”objects” representing inputs, jointly held by players, value not accessible to adversary. Computing phase: compute new objects. Open outputs 1 7 3 2 + · 6 8 · 48 Create Objects (Sharing Phase): Each Pi shares each of his input value using a random polynomial of degree at most t, sends a share of each input to each player. a f() a1, a2, …, an

  14. Computation Phase Addition Gates Input: a fa() a1,…,an and b fb() b1,…,bn Desired Output: c= a+b fc() c1,…,cn Each player Pi sets ci := ai+bi. Then we have what we want: a+b fc() c1,…,cn, with fc() = fa()+fb() - works, since adding two random polynomials of degree ≤ t produces random polynomial of degree ≤ t Multiplication Gates Input: a fa() a1,…,an and b fb() b1,…,bn Desired Output: c= ab fc() c1,…,cn. Each player sets di := ai bi. If we set h() = fa() fb(), then di = fa(i) fb(i) = h(i). Also h(0)= ab = c Unfortunately, h() may have degree up to 2t, and is not even a random polynomial of degree at most 2t. What to do?

  15. Multiplication Gates, con’t We have public reconstruction vector (r1,…,rn) – know that c= h(0) = r1 h(1) + …+ rn h(n) = r1 d1 + … + rn dn - since deg(h)≤ 2t < n Each player Pi creates dihi() ci1, ci2,…,cin. So we have: d1h1() c11 c12 … c1n d2h2() c21 c22 … c2n … dnhn() cn1 cn2 … cnn Known by: P1 P2 Pn r1 r1 r1 + + + r2 r2 r2 + + + … … … rn rn rn = = = c1 c2 … cn c is now shared using polynomial fc(), where fc() =  ri hi() c fc()

  16. Output Opening Phase Having made our way through the circuit, we have for each output value y: y fy() y1,…, yn If y is to be received by player Pi, each Pj sends yj to Pi. Pi reconstructs in the normal way. Security, intuitively: Outputs trivially correct, since all players follow protocol For every input from an honest player, intermediate result and outputs of honest players, Adv sees at most t shares. These are always t random field elements, so reveal no information. A Simulator can make a convincing view for the adversary by just choosin random sets of t field elements.

  17. Optimality of bound n> 2t. In the passive case, it is impossible already for 2 players to compute for instance the AND function with unconditional security against both players: Inputs: from A: bit a from B: bit b Results: A and B learn a AND b Intuition: neither party can go first in revealing anything about their inputs. Slightly more formally: Suppose a=0, then A is to learn nothing. Nevertheless: using infinite computing power, A can determine if the conversation she just had with B, could have resulted from both a=0 and a=1, i.e., is my bit uniquely determined from conversation?. If not, B also learned nothing, and so must have b=0, else has b=1. Note: Multiparty case reduces to 2-party case.

  18. Protocol for Active Adversaries • General idea: use protocol for passive case, but make players prove that they send correct information. • Main tool for this: commitment scheme • Intuition: committer Pi puts secret value sK ”in a locked box” and puts it on the table. Later, Pi can choose to open the box, by releasing the key. • Hiding – no one else can learn s from the commitment • Binding – having given away the box, Pi cannot change what is inside. • We can model a commitment scheme by an ideal functionality Fcom, that offers the following commands: • Commit: player Pi sends a value s to the functionality, Fcom records it is internal memory • Open: if Pi sends this, Fcom recovers s from memory and sends it to all players. • Trivially satisfies hiding and binding since Fcom cannot be corrupted.

  19. Using Functionalities in Protocols • The plan is to use a commitment scheme, i.e., (an extention of) Fcom as a ”subrutine” to build a realization of FMPC , secure against active cheating. So we need: • A model specifying what it means to use an ideal functionality in a protocol. As a result, we can formally specify what it means that protocol ”implements FMPC when given access to Fcom”. • A theorem saying that if protocol realizes for instance Fcom securely, then it is OK to replace Fcom by . • Doing this in  would result in the desired real-life protocol for FMPC • This is exactly what the UC model gives us

  20. Definition of Fcom functionality. • Notation for commitments: [s]i • means: Pi has successfully committed to s, and Fcom has stored s in its internal memory. • Commit command Goal: create [s]i • Pi sends a value ”Commit, s”. Functionality remembers s, and informs all players that Pi committed to a value. • Pi may also send ”refuse”, then functionality sends ”fail” to all players. • Open command Goal: open [s]i • Pi sends ”open”, referring to [s]i. Functionality sends s to all players. • Pi may say ”refuse”, then functionality sends ”fail” to all players. • Can also be called as ”private open, j” where s is sent to only Pj.

  21. We need Fcom to offer more functionality, it needs to implement Homomorphic Commitments, i.e. the following two commands • CommitAdd command Goal: from [a]i and [b]i create new commitment [a]i + [b]i= [a+b]i • Executed if all honest players send a ”CommitAdd” command referring to [a]i and [b]i. • Fcom will compute a+b and store it in a new variable, as if committed to by Pi (in particular, Pi can open this new commitment, as if he had committed to a+b in the normal way.) • ConstantMult command Goal: from [a]i and public u, create new commitment u [s]i= [ua]i • Executed if all honest players send a ”ConstantMult u” command referring to [a]i. • Fcom will compute ua and store it in a new variable, as if committed to by Pi

  22. Advanced commands • From the basic Commit, Open, CommitAdd and ConstantMult commands, anything else we need can be built, but for simplicity, we define some extra commands.. • CTP command (CTP: Commitment Transfer Protocol) • Goal: from [s]i , produce [s]jfor i≠j • Executed if all honest players send a CTP command referring to [s]i, i and j. If Pi is corrupt, he may send ”refuse” instead. • If Pi refused, send ”fail” to all players, otherwise store s in a new variable as if committed by Pj, send ”success” to everyone and send s to Pj.

  23. CMP command (CMP: Commitment Multiplication Protocol) • Goal: Given [a]i[b]i [c]iPi can convince all players that c=ab (if true) • executed if all honest players send a CMP command referring to [a]i[b]i [c]i . If Pi is corrupt, he may send ”refuse”. • if Pi refused or if c≠ab, send ”fail” to all players. Otherwise, send ”success” to everyone. • CSP command (CSP: Commitment Sharing Protocol) • Goal: Given [a]i , create [a1]1, [a2]2,…,[an]n where f(i)=ai and f is a polynomial of degree at most t. • executed if all honest players send a CSP command referring to [a]i . Pi should send a polynomial f() of degree at most t. If Pi is corrupt, he may send ”refuse”. • if Pi refused, send ”fail” to all players. Otherwise, for i=1..n, compute ai = f(i) store it in a variable as if committed by Pi and send ”success” to everyone.

  24. Implementation of CSP from basic Fcom commands. Pi chooses random polynomial fa(x) = a + c1 x + c2 x2 + … + ct xt and make commitments: [c1]i, [c2]i,…, [ct]i. We define aj= fa(j). By calling the CommitAdd and ConstantMult commands, we can create commitments: [aj]i= [a]i + j[c1]i + j2 [c2]i + … + jt[ct]i. Finally, we use CTP to create [aj]j from [aj]i. During creation and manipulation of the commitments, Pi can refuse if he is corrupt (and he’s the only one who can do so). This counts as Pi refusing the entire CSP operation.

  25. Generic Implementation of CMP (Commitment Multiplication) Command • Given [a]i, [b]i, [c]i , Pi wants to convince us that c= ab. • The following convinces a single player Pj that the statement is true, it can be repeated (in parallel) so every other player gets to play the role of Pj • 1. Pi chooses  at random and makes commitments []i, [b]i • 2. Pj chooses a random challenge r (in the field GF(p)), sends to Pi • 3. Pi opens the commitment r[a]i + []i to reveal a value r1. Also opens commitment r1 [b]i – [ b]i – r [c]i, result must be 0. • 4. If any of the openings fail, Pj rejects, otherwise he accepts. • If Pi remains honest so that ab=c, Pj will always accept. Moreover, all values opened are random or fixed to 0, so no extra information to Adv. Easy to construct simulator, techniques as seen before. • If Pi is corrupt, then after step 1, if Pi can answer convincingly 2 different values of r, then ab=c - so error probability is 1/p.

  26. Protocol for Active Adversary • Adv is adaptive, unbounded and corrupts up to t players, t< n/3. • We assume Fcom is available, with the Commit, Open, CommitAdd, ConstantMult, CTP, CMP and CSP commands. • We will assume that a broadcast channel is available (not trivial when Adv is active). Can be implemented via a subprotocol if t< n/3. Broadcast not used directly in high-level protocol, but is needed for the implementation of Fcom. • Same phases as in passively secure protocol, but now we want to maintain that all players are committed to their shares of all values. • For simplicity, assume first that no one behaves such that Fcom will return fail. • Input Sharing Phase • Pi commits to his input value a: creates [a]i, then we call the CSP command. • So we have..

  27. Result of Input Sharing Phase • Each input value a has been shared by some player Pi using a polynomial fa(), where fa() is of degree ≤t. • If Pi is honest, fa() is random of degree ≤t. • Each player Pi is committed to his share in a. • Notation: • a fa() [a1]1, [a2]2,…, [an]n

  28. Computation Phase Addition Gates Input: a fa() [a1]1, [a2]2,…, [an]n and b fb() [b1]1, [b2]2,…, [bn]n Desired Output: c= a+b fc() [c1]1, [c2]2,…, [cn]n Each player Pi sets ci := ai+bi and all players compute [ci]i = [ai]i + [bi]i . Produces desired result with fc() = fa() + fb(). Multiplication Gates Input: a fa() [a1]1, [a2]2,…, [an]n and b fb() [b1]1, [b2]2,…, [bn]n Desired Output: c= a+b fc() [c1]1, [c2]2,…, [cn]n Each player Pi sets di := ai bi, makes commitment [di]i and uses CMP on commitments [ai]i, [bi]i , [di]i to show that di is correct If we set h() = fa() fb(), then di = fa(i) fb(i) = h(i). Also h(0)= ab = c So we can use essentially same method as in passive case to get to a sharing of c using a random polynomial of degree ≤t.

  29. Multiplication Gates, con’t Public reconstruction vector is still (r1,…,rn) Using same method as in input sharing phase, each player Pi creates dihi() [ci1]1, [ci2]2,…,[cin]n. So we have: d1h1() [c11]1 [c12]2 … [c1n]n d2h2() [c21]1 [c22]2 … [c2n]n … dnhn() [cn1]1 [cn2]2 … [cnn]n Committed by: P1 P2 Pn r1 r1 r1 + + + r2 r2 r2 + + + … … … rn rn rn = = = [c1]1 [c2]2 … [cn]n c is now shared using polynomial fc(), where fc() =  ri hi() c fc()

  30. Output Opening Phase Having made our way through the circuit, we have for each output value y: y fy() [y1]1,…, [yn]n If y is to be received by player Pi, ”private open i” is invoked for each commitment, such only Pi learns the shares. Opening may fail for some commitments, but the rest are guaranteed to be correct, so Pi can recontruct y in the normal way. Note: this would work, assuming only that t< n/2. In fact the entire high-level protocol works for t< n/2. It is only the implementation of Fcom that needs t< n/3.  High-level protocol can be used to get MPC for t< n/2 in the cryptographic model, if we can build a computationally secure implementation of Fcom in that scenario.

  31. How to handle Failures • If a player Pi sends refuse in some command, causing Fcom to return ”fail”: • In input sharing phase: ignore or use default value of input • In computation phase: can always go back to start, open Pi’s inputs and recompute, simulating Pi openly. Also more efficient solution: since t< n/3 at least n-t > 2t players do multiplication step correctly. So can still do multiplication step using reconstruction vector tailored to the set that behaves well. • In output opening phase: the receiver of an output just ignores incorrectly opened commitments – there is enough info to reconstruct, since n-t > t.

  32. Security of High-Level Protocol. Essentially the same simulator as for passive case will work, since the protocol follows exactly same pattern (except for the commitments).

  33. Implementing Fcom commands • Commit, Open • CommitAdd, ConstantMult • CPT protocol, CMP protocol • Idea for commitments: implement using secret sharing. To commit to s, a dealer D just creates • sf() s1,…,sn • To open, D broadcasts f(), each player Pi says if his share really was f(i). Opening accepted, if at least n-t players agree. • The good news: CommitAdd can be implemented by just locally adding shares, ConstantMult by multiplying all shares by constant. Furthermore, if D remains honest, Adv learns no information at commitment time. • The bad news: who says D distributes correctly computed shares? If not, s not uniquely determined, D may open different values later.

  34. Some Wishful Thinking.. • Suppose for a moment we could magically force D to distribute shares consistent with a polynomial f() of degree ≤t < n/3. • Then it works! • Easy to see that secret is safe if D is honest • If D corrupt, want to show that D must open to value s or be rejected. Assume D opens some s’, by broadcasting polynomial f’(). If this is accepted, at least n-t> 2t players agree  at least t+1 honest players agree  f’() agrees with f() in t+1 points f’()=f()  s=s’. • Therefore sufficient to force D to be consistent

  35. How to force consistency • Main tool: • f(X,Y) =  cij XiYj • a bivariate polynomial of degree at most t in both variables. Will assume f() is symmetric, i.e. cij =cji • Define, for 0< i,j ≤ n: • f0(X) = f(X,0), and set s= f0(0), si = f0(i) • fi(X) = f(X,i), fi(j) = sij • How to think of this: • s is the ”real” secret to be committed, using polynomial f0(). Hence f0(i) = si will be player Pi’s share in s. The rest of the machinery is just for checking. • Observations, by symmetry: • si = f0(i) = f(i,0) = f(0,i) = fi(0) • sij = fi(j) = f(j,i) = f(i,j) = fj(i) = sji

  36. Commit Protocol • Dealer D chooses random bivariate polynomial f() as above, such that f(0,0)= s, the value he wants to commit to. Sends privately fi() to player Pi. • Pi sends sij= fi(j) to Pj, who compares to sji= fj(i) – broadcast ”complaint” if conflict. • D must broadcast correct value of all sij’s complained about • If some Pi finds disagreement between broadcasted values and what he received privately from D, he broadcasts ”accuse D” • In response to accusation from Pi, D must broadcast what he sent to Pi – fi(). This may cause further players to find disagreement as in Step 4, they then also accuse D. • If D has been accused by more than t players, commit protocol fails. • Otherwise, the commitment is accepted. Accusing players from step 4 use the fi() broadcast as their polynomial. Accusing players from step 5 use the polynomial sent in step 1. Each player Pi stores fi(0) as his share of the commitment.

  37. Commitments, more concretely • In our implementation, a commitment • [a]i is a set of shares: a1 a2 ... an • held by P1 P2 Pn • where Pi knows the polynomial fa() that was used to create the shares – and where fa(0) =a. • Checking using bivariate polynomial forces Pi to create shares correctly • Opening means Pi broadcasts fa(), each Pj checks if fa(j) = aj, complains if not, opening accepted iff at most t complaints. • [a]i + [b]i means: each Pj has aj and bj, now computes cj:= aj + bj. Pi computes fc() = fa() + fb(). We now have new commitment [a+b]i, defined by shares c1,…,cn, and polynomial fc(). • u [a]i means: each Pj has aj, now computes dj:= u aj. Pi computes fd():= u fa(). We now have new commitment [ua]i, defined by shares d1,…,dn and polynomial fd().

  38. Implementing CTP (Commitment Transfer) Command: • Purpose: from [a]i, produce [a]j • Given [a]i, Pi sends privately to Pj the polynomial fa() defining the commitment. If Pj does not get something of correct form, he brodcasts a complaint and we go to the ”complain step” below • Pj creates [a’]j where a’ is the value he learned in the first step. Note that assuming Pj received correct info from Pi, he is now in state equivalent to having created [a]i himself. So we can use CommitAdd, ConstantMult to create [a]i+(-1)[a’]j which we open. The result should be 0. If yes, continue with [a’]j, accept and stop. • Complaint step: If we reach this one, clear that at least one of Pi, Pj is corrupt. Hence OK to ask Pi to open [a]i. If this succeeds, continue with default commitment by Pj to a. Else the CPT fails.

  39. Reminder: Given commitment by Pi to a value a : [a]i, the Commitment Share Protocol (CSP) works as follows: Pi chooses random polynomial fa(x) = a + c1 x + c2 x2 + … + ct xt and make commitments: [c1]i, [c2]i,…, [ct]i. The j’th share of a is aj= fa(j). Players can now immediately compute commitments to the shares: [aj]i= [a]i + j[c1]i + j2 [c2]i + … + jt[ct]i. Finally, we use CTP to create [aj]j from [aj]i. This trivially generalizes to polynomials of any degree.

  40. Implementing CMP (Commitment Multiplication) Command Given [a]i , [b]i , [c]i , Pi wants to convince us that c= ab. Pi uses CSP command to create: a fa() [a1]1, [a2]2,…, [an]n b fb() [b1]1, [b2]2,…, [bn]n c fc() [c1]1, [c2]2,…, [cn]n Where fc() = fa() fb() Even if Pi corrupt, this guarantees that all committed shares are consistent with polynomials of degree at most t, t, and 2t, and that fa(0)=a, fb(0)=b, fc(0)=c. Hence sufficient to verify that indeed fc() = fa() fb(): Each Pi checks that ci= ai bi. If not he complains and proves his case by opening the commitments. Honest players will do this correctly, so we know that fc() agrees with fa() fb() in at least n-t > 2t points  fc() = fa() fb().

  41. Proving Fcom implementation is secure Basic Ideas: When corrupt player commits, simulator can reconstruct value committed to from the messages sent, because consistency is enforced. So you know what to send to Fcom. When honest player commits to value s, s is not known to simulator. So we show the adversary random values in place of the shares in s that the honest player would send. At opening time, simulator gets s from Fcom, then complete set of shares to a complete set of shares in s, and claim this was what the honest players held. Leads to perfect simulation. Note on the Fcom implementation: it is based on Shamir’s threshold secret sharing scheme. But it is has been designed such that any linear secret sharing scheme can be plugged in instead (more on this later). Using special properties of Shamir’s scheme, some parts can be done more efficiently. For instance, Commit protocol based on Shamir is already itself a CSP, fi()-polynomials can be used as commitments to shares in s – details in notes.

  42. Another Improvement of Fcom (works only for Shamir case) • Alternative Open protocol • Commitment [s]i has been established using • sf() s1,…,sn • Each player Pj sends sj to every other player • From received shares, each player reconstructs s using algorithm given below. • Does not require use of broadcast, which is often very expensive • This works, if we can construct algorithm with the following property: • Given a set of values s’1,s’2,….,s’n where s’i = f(i) for a polynomial of degree at most t< n/3, except for at most t values, compute f(). • We already proved that since t< n/3, only one polynomial can be consistent with enough values, so can find f() by exhaustive search. Can we do it efficiently?

  43. Algorithm Construct a bivariate polynomial Q(X,Y), such that for i=1…n: Q(i, s’i) = 0 Q(X,Y) = f0(X) – f1(X)Y Where deg(f0) at most 2t and deg(f1) at most t. Conditions on Q() define linear system of equations with coefficients of f0, f1 as unknowns, so easy to find Q() if it exists. Hence enough to show that 1. a Q() of correct form always exists. 2. desired f() easy to find from f0, f1. As for 1, let A be the set of positions where the s’i do not agree with f(). If we set k(X) = i A(X-i) then Q(X,Y) = k(X) f(X) – k(X) Y does the trick. For 2. define Q’(X) = Q(X,f(X)). Turns out that Q’(i)=0 for all i not in A, so Q’(X) = f0(X) – f1(X)f(X) = 0  f(X) = f0(X)/f1(X)

  44. Optimality of the bound n> 3t In active case, it is impossible to do broadcast already for 3 players when 1 can be corrupt: Assume players A,B,C, A wants to broadcast bit b. A may send b to B and C, but e.g. B does not know if C received same bit as him. Only possibility is to ask B. If inconsistency, clear that A or C is corrupt, but no way to tell which one!

  45. How to go from threshold to general adversaries. Use same ideas, but more general form of secret sharing… Shamir’s scheme can be written as fixed matrix secret+randomness shares 1 11 12 … 1t a a1 1 21 22 … 2t r1 =a2 … .. .. rt .. 1 n1 n2 … nt an Each player ”owns” a row of the matrix and is assigned the share corresponding to his row. Can be generalized to other matrices than Van der Monde, and to more than one row pr. player.

  46. Linear Secret Sharing Schemes (LSSS). s Rows of P1 Share of P1 Share of P2 Rows of P2 = M Randomness …… Rows of Pn Share of Pn Subset A can reconstruct s if their rows span (1, 0, 0,…,0), otherwise they have no information. LSSS is most powerful general SS method known, can handle any adversary structure – but cannot be efficient on any structure (counting argument). Shamir, Benaloh-Leichter, Van Dijk, Brickell are special cases.

  47. Reminder Adversary StructureΓ: family of subsets of P= {P1,…,Pn} List of subsets the adversary can corrupt. Threshold-t structure: contains all subsets of size at most t. Γ is Q3: for any A1,A2,A3  Γ, A1A2 A3 is smaller than P Γ is Q2: for any A1,A2  Γ, A1A2 is smaller than P To make our protocol work for general Q2/Q3 adversaries, basically we plug in an LSSS M for Γ instead of Shamir’s scheme. Does this work? Let va be the vector chosen in order to secret share value a. Then complete set of shares is the vector M va. We can securely add shared secrets, local addition of shares of a and b means we compute M va + M vb = M(va + vb) - produces shares of the sum a+b, since vector va+vb has a+b in first coordinate.

  48. Multiplication? For vectors u =(u1,…,ud), v= (v1,….,vd) let u◊v = (u1v1,…,udvd) and uv =(u1v1, u1v2,…,u1vn, u2v1,......, udvd) Now, given shares of a,and b, M va and M vb , we can compute by local multiplication M va ◊ M vb. where each player knows a subset of the entries. We haveM va ◊ M vb= (M  M)(va vb) where M  M is the matrix containing as rows all -products of rows in M with themselves. Note: va vb contains ab in the first coordinate. Thus we have produced a sharing of ab in a LSSS defined by M  M. Definition M is multiplicative if the set of all players is qualified in the LSSS defined by M  M. If M is multiplicative, we can use the same idea as for polynomial secret sharing to convert the sharing using M  M to a sharing using M.

  49. A matrix M defining a LSSS is NOT always multiplicative. However: Theorem[CDM 00]: from any LSSS M for a Q2 adversary structure, can always construct multiplicative M’ of size at most twice that of M. This implies: from any LSSS M for Q2 adversary structure Γ, can build general MPC protocols with perfect security against passive, adaptive Γ-adversaries . Can get protocol for active adversaries and Q3 adversary structure also, by generalizing from the threshold protocol we have seen: Must implement commitments - same idea as before, secret share committed value using M. Since adversary structure is Q3, committed value still determined if sharing is consistent. To verify consistency, use bivariate polynomial technique, generalized to LSSS’s, same commit protocol applies. For details, see [CDM 00], full version on my web page.

  50. MPC from LSSS, cont’d Everything else in the Fcom implementation is generic and generalizes immediately to any LSSS, except the CMP protocol. Generalizing CMP requires an extra property: the given LSSS must be strongly multiplicative. Definition M is stronglymultiplicative if the set of honest players is qualified in the LSSS defined by M  M. Not known whether from LSSS M for Q3 adversary structure, we can build strongly multiplicative M’ not much larger than M – the major open problem in this area! Fortunately, there is a solution that works for ANY homomorphic commitment scheme, and is only inferior in that it has an exponentially small error probability…

More Related